[Openid-specs-ab] Fwd: DNS Based OpenID Connect Discovery / Day 2 / Session 1
mike at gluu.org
Wed Oct 18 23:59:13 UTC 2017
OpenID Connect gurus,
Please take a moment to provide some feedback to Marcos.
Also, maybe someone remembers why Webfinger was selected in favor of DNS
in the first place?
-------- Original Message --------
Discussed draft created by Marcos Sanz, which can be found here:
1. DNS is already in use for discovery, while Webfinger is used only for
2. DNS is probably more secure than a web service
1. RP developers will have to support both methods, because some IDPs
may support one or the other.
2. RP developers will need a DNS client library to resolve discovery,
versus using 100% web tools.
3. Webfinger can handle more complex discovery rules, especially where
email is at the top level, but there may be a number of underlying
OpenID Providers. For example, let's say there are OPs at us.corp.com,
emea.corp.com, and china.corp.com. But... all email for users is at
___ at corp.com for simplicity. DNS might struggle to implement the
business logic for this scenario.
4. Oversimplifying a little... in some large enterprise environments,
coordination with the "DNS department" adds some complexity to a rollout
where OpenID Connect is primarily an operational concern of the "web
Although there was a fair amount of skepticism, there did seem to be a
case for supporting this, as it would be sufficient in the vast number
of cases, and management of a one-off discovery service is not ideal for
PS: Sorry Marcos about my Chromebook / video conferencing challenges. I
forgot that would be a lot harder when I'm not using my laptop!
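The corp.com scenario from point 3 above, worked through as an added example (not code from this thread, from Marcos Sanz's draft, or from any OpenID project): one mail domain fronts three OpenID Providers, and a WebFinger endpoint carries the per-user routing that a DNS record would struggle to express. The request and response shapes follow OpenID Connect Discovery 1.0 section 2 and RFC 7033; the user-to-OP table, the host names and the helper function names are constructed for the illustration, and the "network" hop is an in-process call so it runs offline.

```python
"""WebFinger-based OpenID Connect discovery for one email domain that fronts
several OpenID Providers (the corp.com scenario discussed in the thread).

Added illustration, not code from the thread or from any OpenID project.
The user-to-OP mapping, the domain names and the helper names are constructed
for this example; the request/response shapes follow OpenID Connect
Discovery 1.0 (section 2) and RFC 7033.
"""
from urllib.parse import urlparse, parse_qs, quote

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
EMAIL_DOMAIN = "corp.com"   # constructed: the single mail domain everyone uses

# Constructed directory lookup mapping each local part to its home OP.
# A real deployment would consult an HR directory or LDAP instead.
HOME_OP_BY_USER = {
    "alice": "https://us.corp.com",
    "bob": "https://emea.corp.com",
    "chen": "https://china.corp.com",
}


def webfinger_handler(query_string):
    """Server side: answer GET /.well-known/webfinger?resource=...&rel=...

    Returns (http_status, jrd_dict_or_None). The business logic that a DNS
    record would struggle to express lives here: one mail domain, three issuers.
    """
    params = parse_qs(query_string)
    resource = params.get("resource", [None])[0]
    rels = params.get("rel", [])
    if resource is None:
        return 400, None                      # RFC 7033: resource is required
    if not resource.startswith("acct:"):
        return 404, None                      # only account resources are served
    local, sep, host = resource[len("acct:"):].rpartition("@")
    if not sep or host.lower() != EMAIL_DOMAIN:
        return 404, None                      # never answer for other domains
    issuer = HOME_OP_BY_USER.get(local.lower())
    if issuer is None:
        return 404, None                      # unknown user: plain 404, no detail
    links = [{"rel": OIDC_ISSUER_REL, "href": issuer}]
    # RFC 7033 section 4.3: when rel is given, return only those relations.
    if rels:
        links = [link for link in links if link["rel"] in rels]
    return 200, {"subject": resource, "links": links}


def extract_issuer(jrd, expected_subject):
    """Client side: pull the issuer out of a JRD and sanity-check it.

    Raises ValueError rather than handing the RP something it should not trust.
    """
    if jrd.get("subject") != expected_subject:
        raise ValueError("JRD subject does not match the queried resource")
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == OIDC_ISSUER_REL]
    if len(hrefs) != 1:
        raise ValueError("expected exactly one OIDC issuer link")
    issuer = hrefs[0]
    parsed = urlparse(issuer)
    # OIDC Discovery: the issuer is an https URL with no query or fragment.
    if parsed.scheme != "https" or not parsed.netloc or parsed.query or parsed.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer


def discover_issuer(email):
    """Resolve an email address to its OP issuer via the in-process handler.

    A real RP would send the same query over HTTPS to the mail domain's
    /.well-known/webfinger endpoint and then fetch the issuer's
    /.well-known/openid-configuration document.
    """
    resource = "acct:" + email
    query = (f"resource={quote(resource, safe='')}"
             f"&rel={quote(OIDC_ISSUER_REL, safe='')}")
    status, jrd = webfinger_handler(query)
    if status != 200:
        raise LookupError(f"WebFinger lookup failed with HTTP {status}")
    return extract_issuer(jrd, resource)


if __name__ == "__main__":
    for address in ("alice@corp.com", "bob@corp.com", "chen@corp.com"):
        print(address, "->", discover_issuer(address))
```

The server never answers for a domain it does not own and returns the same 404 for unknown users as for foreign domains, and the client refuses anything that is not a single https issuer, which is the minimum an RP needs before it trusts the issuer's configuration document.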